# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix
#
# NixOS module running the Drone "exec" runner as a dedicated, confined
# system service. The exec runner executes pipeline steps directly on this
# host as the service user, so whatever is reachable from inside the
# confinement (the bind-mounted nix daemon socket, nscd, the listed host
# files) is also reachable from CI jobs.
{ config, lib, pkgs, ... }:

let
  # One name is used for the systemd unit, the user and the group.
  runnerName = "drone-runner-exec";

  # Tools exposed both on $PATH of the service and inside its confinement
  # root; git-lfs and nix are what pipeline steps need to fetch sources and
  # build.
  toolset = [
    pkgs.bash
    pkgs.git
    pkgs.git-lfs
    pkgs.gnutar
    pkgs.gzip
    pkgs.nix
  ];

  # Host files the confined service can read but not modify. Presumably
  # passwd/group are needed for name resolution of the runner user and the
  # CA bundle / known_hosts for TLS and ssh verification — verify against
  # the runner's behaviour before removing any of them.
  readOnlyHostPaths = [
    "/etc/group:/etc/group"
    "/etc/machine-id"
    "/etc/nix:/etc/nix"
    "/etc/passwd:/etc/passwd"
    "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"
    "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
    "/nix"
  ];

  # Writable host sockets: the nix daemon (NIX_REMOTE=daemon below) and nscd.
  writableHostPaths = [
    "/nix/var/nix/daemon-socket/socket"
    "/run/nscd/socket"
  ];
in
{
  users.groups.${runnerName} = { };

  users.users.${runnerName} = {
    isSystemUser = true;
    group = runnerName;
  };

  systemd.services.${runnerName} = {
    wantedBy = [ "multi-user.target" ];
    # might break deployment
    restartIfChanged = false;

    path = toolset;

    # Confine the service to the closure of the tools above.
    # NOTE(review): confinement does not by itself imply options such as
    # NoNewPrivileges — confirm against the NixOS confinement module before
    # relying on it for further hardening.
    confinement.enable = true;
    confinement.packages = toolset;

    environment = {
      DRONE_RPC_HOST = "ci.sbruder.de";
      DRONE_RPC_PROTO = "https";
      DRONE_RUNNER_CAPACITY = "2";
      NIX_REMOTE = "daemon";
      PAGER = "cat";
    };

    serviceConfig = {
      User = runnerName;
      Group = runnerName;
      ExecStart = "${pkgs.unstable.drone-runner-exec}/bin/drone-runner-exec";
      # The RPC secret comes from sops rather than from the nix store.
      EnvironmentFile = [ config.sops.secrets.drone-rpc-environment.path ];
      BindPaths = writableHostPaths;
      BindReadOnlyPaths = readOnlyHostPaths;
    };
  };
}